The following issues were found
deps/hiredis/read.c
5 issues
Line: 73
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
r->err = type;
len = strlen(str);
len = len < (sizeof(r->errstr)-1) ? len : (sizeof(r->errstr)-1);
memcpy(r->errstr,str,len);
r->errstr[len] = '\0';
}
static size_t chrtos(char *buf, size_t size, char byte) {
size_t len = 0;
Reported by FlawFinder.
Line: 102
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static void __redisReaderSetErrorProtocolByte(redisReader *r, char byte) {
char cbuf[8], sbuf[128];
chrtos(cbuf,sizeof(cbuf),byte);
snprintf(sbuf,sizeof(sbuf),
"Protocol error, got %s as reply type byte", cbuf);
__redisReaderSetError(r,REDIS_ERR_PROTOCOL,sbuf);
Reported by FlawFinder.
Line: 290
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
} else if (cur->type == REDIS_REPLY_DOUBLE) {
if (r->fn && r->fn->createDouble) {
char buf[326], *eptr;
double d;
if ((size_t)len >= sizeof(buf)) {
__redisReaderSetError(r,REDIS_ERR_PROTOCOL,
"Double value is too large");
Reported by FlawFinder.
Line: 299
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return REDIS_ERR;
}
memcpy(buf,p,len);
buf[len] = '\0';
if (strcasecmp(buf,",inf") == 0) {
d = INFINITY; /* Positive infinite. */
} else if (strcasecmp(buf,",-inf") == 0) {
Reported by FlawFinder.
Line: 71
Column: 11
CWE codes:
126
/* Set error. */
r->err = type;
len = strlen(str);
len = len < (sizeof(r->errstr)-1) ? len : (sizeof(r->errstr)-1);
memcpy(r->errstr,str,len);
r->errstr[len] = '\0';
}
Reported by FlawFinder.
deps/hiredis/async.c
4 issues
Line: 68
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dup == NULL)
return NULL;
memcpy(dup,src,sizeof(*dup));
return dup;
}
static int callbackKeyCompare(void *privdata, const void *key1, const void *key2) {
int l1, l2;
Reported by FlawFinder.
Line: 254
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return REDIS_ERR_OOM;
if (source != NULL) {
memcpy(cb,source,sizeof(*cb));
cb->next = NULL;
}
/* Store callback in list */
if (list->head == NULL)
Reported by FlawFinder.
Line: 276
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy callback from heap to stack */
if (target != NULL)
memcpy(target,cb,sizeof(*cb));
hi_free(cb);
return REDIS_OK;
}
return REDIS_ERR;
}
Reported by FlawFinder.
Line: 451
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cb->pending_subs -= 1;
}
memcpy(dstcb,cb,sizeof(*dstcb));
/* If this is an unsubscribe message, remove it. */
if (strcasecmp(stype+pvariant,"unsubscribe") == 0) {
if (cb->pending_subs == 0)
dictDelete(callbacks,sname);
Reported by FlawFinder.
src/t_string.c
4 issues
Line: 480
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sdslen(value) > 0) {
o->ptr = sdsgrowzero(o->ptr,offset+sdslen(value));
memcpy((char*)o->ptr+offset,value,sdslen(value));
signalModifiedKey(c,c->db,c->argv[1]);
notifyKeyspaceEvent(NOTIFY_STRING,
"setrange",c->argv[1],c->db->id);
server.dirty++;
}
Reported by FlawFinder.
Line: 492
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void getrangeCommand(client *c) {
robj *o;
long long start, end;
char *str, llbuf[32];
size_t strlen;
if (getLongLongFromObjectOrReply(c,c->argv[2],&start,NULL) != C_OK)
return;
if (getLongLongFromObjectOrReply(c,c->argv[3],&end,NULL) != C_OK)
Reported by FlawFinder.
Line: 493
Column: 12
CWE codes:
126
robj *o;
long long start, end;
char *str, llbuf[32];
size_t strlen;
if (getLongLongFromObjectOrReply(c,c->argv[2],&start,NULL) != C_OK)
return;
if (getLongLongFromObjectOrReply(c,c->argv[3],&end,NULL) != C_OK)
return;
Reported by FlawFinder.
Line: 519
Column: 36
CWE codes:
126
if (end < 0) end = strlen+end;
if (start < 0) start = 0;
if (end < 0) end = 0;
if ((unsigned long long)end >= strlen) end = strlen-1;
/* Precondition: end >= 0 && end < strlen, so the only condition where
* nothing can be returned is: start > end. */
if (start > end || strlen == 0) {
addReply(c,shared.emptybulk);
Reported by FlawFinder.
deps/lua/src/lua_cjson.c
4 issues
Line: 116
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct {
json_token_type_t ch2token[256];
char escape2char[256]; /* Decoding */
/* encode_buf is only allocated and used when
* encode_keep_buffer is set */
strbuf_t encode_buf;
Reported by FlawFinder.
Line: 153
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int string_len;
} json_token_t;
static const char *char2escape[256] = {
"\\u0000", "\\u0001", "\\u0002", "\\u0003",
"\\u0004", "\\u0005", "\\u0006", "\\u0007",
"\\b", "\\t", "\\n", "\\u000b",
"\\f", "\\r", "\\u000e", "\\u000f",
"\\u0010", "\\u0011", "\\u0012", "\\u0013",
Reported by FlawFinder.
Line: 223
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int json_integer_option(lua_State *l, int optindex, int *setting,
int min, int max)
{
char errmsg[64];
int value;
if (!lua_isnil(l, optindex)) {
value = luaL_checkinteger(l, optindex);
snprintf(errmsg, sizeof(errmsg), "expected integer between %d and %d", min, max);
Reported by FlawFinder.
Line: 821
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int json_append_unicode_escape(json_parse_t *json)
{
char utf8[4]; /* Surrogate pairs require 4 UTF-8 bytes */
int codepoint;
int surrogate_low;
int len;
int escape_len = 6;
Reported by FlawFinder.
src/endianconv.c
4 issues
Line: 109
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define UNUSED(x) (void)(x)
int endianconvTest(int argc, char *argv[], int accurate) {
char buf[32];
UNUSED(argc);
UNUSED(argv);
UNUSED(accurate);
Reported by FlawFinder.
Line: 115
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
UNUSED(argv);
UNUSED(accurate);
sprintf(buf,"ciaoroma");
memrev16(buf);
printf("%s\n", buf);
sprintf(buf,"ciaoroma");
memrev32(buf);
Reported by FlawFinder.
Line: 119
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
memrev16(buf);
printf("%s\n", buf);
sprintf(buf,"ciaoroma");
memrev32(buf);
printf("%s\n", buf);
sprintf(buf,"ciaoroma");
memrev64(buf);
Reported by FlawFinder.
Line: 123
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
memrev32(buf);
printf("%s\n", buf);
sprintf(buf,"ciaoroma");
memrev64(buf);
printf("%s\n", buf);
return 0;
}
Reported by FlawFinder.
deps/jemalloc/test/unit/malloc_io.c
4 issues
Line: 109
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
TEST_BEGIN(test_malloc_snprintf_truncated) {
#define BUFLEN 15
char buf[BUFLEN];
size_t result;
size_t len;
#define TEST(expected_str_untruncated, ...) do { \
result = malloc_snprintf(buf, len, __VA_ARGS__); \
assert_d_eq(strncmp(buf, expected_str_untruncated, len-1), 0, \
Reported by FlawFinder.
Line: 141
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
TEST_BEGIN(test_malloc_snprintf) {
#define BUFLEN 128
char buf[BUFLEN];
size_t result;
#define TEST(expected_str, ...) do { \
result = malloc_snprintf(buf, sizeof(buf), __VA_ARGS__); \
assert_str_eq(buf, expected_str, "Unexpected output"); \
assert_zu_eq(result, strlen(expected_str), "Unexpected result");\
Reported by FlawFinder.
Line: 117
Column: 23
CWE codes:
126
assert_d_eq(strncmp(buf, expected_str_untruncated, len-1), 0, \
"Unexpected string inequality (\"%s\" vs \"%s\")", \
buf, expected_str_untruncated); \
assert_zu_eq(result, strlen(expected_str_untruncated), \
"Unexpected result"); \
} while (0)
for (len = 1; len < BUFLEN; len++) {
TEST("012346789", "012346789");
Reported by FlawFinder.
Line: 146
Column: 23
CWE codes:
126
#define TEST(expected_str, ...) do { \
result = malloc_snprintf(buf, sizeof(buf), __VA_ARGS__); \
assert_str_eq(buf, expected_str, "Unexpected output"); \
assert_zu_eq(result, strlen(expected_str), "Unexpected result");\
} while (0)
TEST("hello", "hello");
TEST("50%, 100%", "50%%, %d%%", 100);
Reported by FlawFinder.
deps/lua/src/lua.c
4 issues
Line: 324
Column: 22
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
static int handle_luainit (lua_State *L) {
const char *init = getenv(LUA_INIT);
if (init == NULL) return 0; /* status OK */
else if (init[0] == '@')
return dofile(L, init+1);
else
return dostring(L, init, "=" LUA_INIT);
Reported by FlawFinder.
Line: 178
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pushline (lua_State *L, int firstline) {
char buffer[LUA_MAXINPUT];
char *b = buffer;
size_t l;
const char *prmt = get_prompt(L, firstline);
if (lua_readline(L, b, prmt) == 0)
return 0; /* no input */
Reported by FlawFinder.
Line: 141
Column: 38
CWE codes:
126
static int dostring (lua_State *L, const char *s, const char *name) {
int status = luaL_loadbuffer(L, s, strlen(s), name) || docall(L, 0, 1);
return report(L, status);
}
static int dolibrary (lua_State *L, const char *name) {
Reported by FlawFinder.
Line: 184
Column: 7
CWE codes:
126
const char *prmt = get_prompt(L, firstline);
if (lua_readline(L, b, prmt) == 0)
return 0; /* no input */
l = strlen(b);
if (l > 0 && b[l-1] == '\n') /* line ends with newline? */
b[l-1] = '\0'; /* remove it */
if (firstline && b[0] == '=') /* first line starts with `=' ? */
lua_pushfstring(L, "return %s", b+1); /* change it to `return' */
else
Reported by FlawFinder.
src/latency.c
4 issues
Line: 67
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Returns 1 if Transparent Huge Pages support is enabled in the kernel.
* Otherwise (or if we are unable to check) 0 is returned. */
int THPIsEnabled(void) {
char buf[1024];
FILE *fp = fopen("/sys/kernel/mm/transparent_hugepage/enabled","r");
if (!fp) return 0;
if (fgets(buf,sizeof(buf),fp) == NULL) {
fclose(fp);
Reported by FlawFinder.
Line: 69
Column: 16
CWE codes:
362
int THPIsEnabled(void) {
char buf[1024];
FILE *fp = fopen("/sys/kernel/mm/transparent_hugepage/enabled","r");
if (!fp) return 0;
if (fgets(buf,sizeof(buf),fp) == NULL) {
fclose(fp);
return 0;
}
Reported by FlawFinder.
Line: 543
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (j = 0; j < LATENCY_TS_LEN; j++) {
int i = (ts->idx + j) % LATENCY_TS_LEN;
int elapsed;
char buf[64];
if (ts->samples[i].time == 0) continue;
/* Update min and max. */
if (seq->length == 0) {
min = max = ts->samples[i].latency;
Reported by FlawFinder.
Line: 45
Column: 37
CWE codes:
126
}
uint64_t dictStringHash(const void *key) {
return dictGenHashFunction(key, strlen(key));
}
void dictVanillaFree(dict *d, void *val);
dictType latencyTimeSeriesDictType = {
Reported by FlawFinder.
src/tracking.c
4 issues
Line: 127
Column: 35
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
addReplyErrorFormat(c,
"Prefix '%s' overlaps with an existing prefix '%s'. "
"Prefixes for a single client must not overlap.",
(unsigned char *)prefixes[i]->ptr,
(unsigned char *)collision);
sdsfree(collision);
raxStop(&ri);
return 0;
}
Reported by FlawFinder.
Line: 144
Column: 31
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
addReplyErrorFormat(c,
"Prefix '%s' overlaps with another provided prefix '%s'. "
"Prefixes for a single client must not overlap.",
(unsigned char *)prefixes[i]->ptr,
(unsigned char *)prefixes[j]->ptr);
return i;
}
}
}
Reported by FlawFinder.
Line: 145
Column: 31
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"Prefix '%s' overlaps with another provided prefix '%s'. "
"Prefixes for a single client must not overlap.",
(unsigned char *)prefixes[i]->ptr,
(unsigned char *)prefixes[j]->ptr);
return i;
}
}
}
return 1;
Reported by FlawFinder.
Line: 517
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Create the array reply with the list of keys once, then send
* it to all the clients subscribed to this prefix. */
char buf[32];
size_t len = ll2string(buf,sizeof(buf),count);
sds proto = sdsempty();
proto = sdsMakeRoomFor(proto,count*15);
proto = sdscatlen(proto,"*",1);
proto = sdscatlen(proto,buf,len);
Reported by FlawFinder.
utils/corrupt_rdb.c
4 issues
Line: 23
Column: 5
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
exit(1);
}
srand(time(NULL));
char *filename = argv[1];
cycles = atoi(argv[2]);
fd = open(filename,O_RDWR);
if (fd == -1) {
perror("open");
Reported by FlawFinder.
Line: 25
Column: 14
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
srand(time(NULL));
char *filename = argv[1];
cycles = atoi(argv[2]);
fd = open(filename,O_RDWR);
if (fd == -1) {
perror("open");
exit(1);
}
Reported by FlawFinder.
Line: 26
Column: 10
CWE codes:
362
srand(time(NULL));
char *filename = argv[1];
cycles = atoi(argv[2]);
fd = open(filename,O_RDWR);
if (fd == -1) {
perror("open");
exit(1);
}
fstat(fd,&stat);
Reported by FlawFinder.
Line: 34
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fstat(fd,&stat);
while(cycles--) {
unsigned char buf[32];
unsigned long offset = rand()%stat.st_size;
int writelen = 1+rand()%31;
int j;
for (j = 0; j < writelen; j++) buf[j] = (char)rand();
Reported by FlawFinder.